Assign an existing User-Assigned Managed Identity to VM from another subscription using Azure Policy

Azure provides a comprehensive list of built-in policy definitions (grouped by the category property defined in the metadata) which are owned and maintained by Microsoft (where the azure-policy repository contains the direct representation of these).

Built-in policy definitions usually cover a specific scenario although some flexibility might be provided through parameters that can be configured. However, customers might have specific needs not covered by an available built-in policy definition and a custom policy definition might be needed.

As a rule of thumb, if there is a built-in policy definition that covers part of a scenario, a custom policy definition can be created based on it introducing the necessary modifications.

Let’s take into consideration the [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines built-in policy definition that creates and assigns a built-in user-assigned managed identity or assigns a pre-created user-assigned managed identity at scale to virtual machines. This currently provides the user-assigned managed identity name and resource group name as parameters expecting that it is on the same subscription as the virtual machine resource. However, in a scenario where the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource, a custom policy definition is required.

Before creating a custom policy, it is worth checking both the Azure Policy Samples as well as the Community Policy Repository to see whether a policy definition that matches your needs already exists. Coming back to the user-assigned managed identity assignment to virtual machines where the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource scenario, a custom policy definition is available here where the user assigned managed identity resource URI (which contains the subscription ID) is provided as a parameter.

Published on: March 26, 2024

Learn more

Azure PaaS Blog articles

Azure DevOps and GitHub: Journeying into the AI Era

AI is changing how software gets planned, built, and reviewed. As teams adopt agentic development, the platform underneath those workflows mat...

7 hours ago

Introducing azure-functions-skills: An AI-Era Workspace for Azure Functions (Preview)

azure-functions-skills gives GitHub Copilot CLI, Claude Code, Codex CLI, and VS Code the skills, MCP configuration, hooks, and instructions ne...

7 hours ago

Announcing the Public Preview of Integrated Embeddings in Azure Cosmos DB: Build AI Apps With Embeddings That Stay in Sync

AI applications built on Azure Cosmos DB depend on embeddings for grounded results. Keeping them in sync with your data is the hard part: it m...

7 hours ago

Blog image

Azure PaaS Blog articles

Learn more

Assign an existing User-Assigned Managed Identity to VM from another subscription using Azure Policy

Related posts

Azure DevOps and GitHub: Journeying into the AI Era

Introducing azure-functions-skills: An AI-Era Workspace for Azure Functions (Preview)

Announcing the Public Preview of Integrated Embeddings in Azure Cosmos DB: Build AI Apps With Embeddings That Stay in Sync

Introducing OmniVec: An Open-Source Embedding Platform for AI Apps on Azure

Azure Cosmos DB All Versions and Deletes Change Feed Mode is Now Generally Available

Change Partition Keys in Azure Cosmos DB is Now Generally Available

Announcing the General Availability of Per Partition Automatic Failover for Azure Cosmos DB NoSQL

Public Preview: AI-powered Azure Cosmos DB Migration Assistant for RDBMS to NoSQL

Azure Cosmos DB MCP Toolkit Is Now Generally Available — Bringing Your Database to AI Agents at Scale

Announcing General availability of the Azure Cosmos DB vNext emulator